Biometric bank access challenges passwords

NZ Security Magazine, Aug/Sep 2017

The banking and finance sector is becoming a leader in biometric authentication

Keith Newman explores the rapidly evolving landscape of biometric authentication in the banking and finance sector. Can biometrics achieve the delicate – and sought after – balance between frictionless customer experience and impregnable security?

The banking and finance sector is becoming a leader in biometric authentication, capitalising on unique personal markers to bridge the widening gap between human fallibility and fraud.

Banks and financial services companies are looking to biometrics to tighten security by augmenting or replacing passwords and personal identification numbers (PINs), promising simpler, faster and more secure services and customer authentication.

It appears that we are reaching the limit of how many passwords and user name combinations we can memorise and manage as we subscribe to a growing number of online services. Failure to designate a different log-on for each service and to regularly change them is further increasing vulnerability.

When the Slempo Android Trojan was detected in New Zealand last year, popping up fake login pages over legitimate banking apps, the need for tougher security was further highlighted.

According to market researcher Lucintel, the global biometric systems market is expected to grow 15 percent annually from 2017, reaching around USD 32.4 billion by 2022. The report, Growth Opportunities in the Global Biometric System Market 2017-2022, says the biggest opportunities are in government, commercial, healthcare, and banking.

Heading off hackers

World-leading biometric developers, including Safran SA, NEC Corporation, 3M Cogent, Precise Biometrics and Fujitsu, are looking to head off the growing incidence of hacking and phishing attacks.

Citibank's award-winning Voice Biometrics Authentication takes only a minute to identify a customer, with the company claiming that this fundamentally changes the customer experience from ‘Who are you?’ to ‘How can I help?’

Recent breakthroughs have been enabled by Apple’s Touch ID and a number of Android phones that allow additional layers of security.

BNZ has been using voice biometrics in its call centres since 2013, and ANZ began rolling out a biometric voice system in New Zealand earlier this year for transactions over $1,000 in its online GoMoney mobile banking app.

The system digitises and matches an individual's voice against a stored voiceprint, comparing pitch, cadence and tone. The bank is looking at other biometric voice security applications to make banking more secure.


Voice challenged

However, Lloyd Gallagher, director of Gallagher & Co consultants and a member of the Auckland District Law Society’s technology and law committee, warns voice biometrics may not be as secure as some claim.

He says scammers use a range of techniques including Voice over Internet Protocol (VoIP) recording or voice phishing, and there’s likely to be a rise in the use of “sampling technology” to play back voice and information in order to fool bank voice biometric security.

Also, the assumption that everyone’s voice is unique remains questionable, says Gallagher. He says even those with low technical capability can use VoIP technology to replay recordings, and these can be manipulated by more sophisticated scammers “to fool all manner of authentication systems”.

While the process assumes the voice sample taken is clean, pure and not open to interference, the FBI suggests it should only be one part of a multi-step security procedure.

Gallagher says experts are only just beginning to understand the harm that can be caused when the technology is misappropriated and asks why banks have been so quick to accept biometric voice as the only form of phone authentication.

In a heartbeat

Facial recognition, retina scans, fingerprinting, signature and voice recognition are not new, although they are going through a rapid evolution. The way we walk, our online behaviour, how we hold our phones, our heartbeat (e.g. Nymi heartbeat authentication), can also be unique to an individual.

According to Lucintel’s 2017 report, emerging trends include the development of “body odour, ear pattern, and lip biometrics and increasing use of advanced biometric sensors.”

The ASB says it’s working on biometrics for face recognition. Offshore, some banks already allow fingerprint scanning on mobile phones, and finger vein technology is gaining credence at ATMs in Japan and Poland. Apparently individual vein patterns are as unique as fingerprints, and remain that way from womb to tomb.

Other banks have begun using a combination of voice recognition and facial recognition alongside images of the unique red vein patterns on the whites of the eyes, for high-value clients.

The 2017 Unisys Security Index suggests around half of Kiwis are open to wearable biometrics technology that analyses human characteristics to confirm identity, including biometric fingerprint scans on smartwatches to secure payment apps.

However, Richard Parker, vice president financial services, Unisys Asia Pacific, argues that banks need a multi-pronged approach across technology and policies to reassure consumers that their data is safe. “There’s a fine line in delivering a frictionless customer experience whilst making sure they are secure,” he said.

While Lucintel predicts the financial and banking sector will experience the highest growth in biometric uptake, particularly through voice recognition systems, Gallagher says the public needs to be more educated about the risks and the potential security flaws in such processes.

He says customers need to be reassured of where the legal liability rests if things go wrong. “Will the banks still pick up the bill for fraud, or will the onus be on the customer to prove it wasn’t them that authenticated the call?”

Gallagher recommends two-factor security, based on a user-selected password or a random authenticator plus a manual check, such as details of the last account transaction or a random security digit, to make it harder to break authentication. “I know banks want it easy, but security seldom is. A bit of hassle is what makes it more secure”.